AMENDMENT TO THE CLAIMS

Please amend Claims 1-7, 9-24 and 2-39, and please add claims 40-41, all as shown below. Applicant reserves the right to prosecute any originally presented claims in a continuing or future application. All pending claims are reproduced below, including those that remain unchanged.

1. (Currently Amended) A security system for allowing a client to access a protected resource or application, [[said]] the protected application or resource including an application container, the security system comprising

an application interface mechanism for receiving an access request from a client to access [[a]] the protected application or resource, and communicating [[said]] the access request to a security service, wherein the client makes the access request on the application container, and the application container calls the security service with the access request and a callback handler;

a security service for making a decision to permit or deny [[said]] the access request, wherein the security service includes a plurality of security providers that may be plugged into the security service, and wherein the security providers use the callback handler to request context information from the application container for the access request, and wherein depending on [[the]] output from [[the]] each security provider[[s]] the security service determines [[an]] entitlements for the client to use with the protected application or resource; and

a resource interface for communicating permitted access requests to [[said]] the protected application or resource.

2. (Currently Amended) The security system of claim 1 wherein [[said]] the application interface mechanism includes an application container for reading an application deployment description and registering [[said]] the application deployment description within the security service.

3. (Currently Amended) The security system of claim 2 wherein [[said]] the application container is an Enterprise Java Beans container.

4. (Currently Amended) The security system of claim 2 wherein [[said]] the application container is a WebApp container.



5. (Currently Amended) The security system of claim 1 wherein [[said]] the security service includes a plurality of access decision mechanisms for defining an access policy and for determining a contributory decision to permit, deny, or abstain from [[said]] the access request.

6. (Currently Amended) The security system of claim 5 wherein [[said]] the security service further includes an access controller for transferring [[said]] the access request to [[said]] the plurality of access decision mechanisms, and for combining [[said]] the contributory decisions into an overall decision by the security service to permit or deny [[said]] the access request.



7. (Currently Amended) The security system of claim 5 wherein [[said]] the access decision mechanisms represent a business function related access policy.

8. (Original) The security system of claim 5 wherein access decisions may be added to the security service to reflect changes in the access policy.

9. (Currently Amended) The security system of claim 5 wherein [[said]] the access decision mechanisms are used to define [[an]] entitlements for [[said]] the client to access [[said]] the protected resource.



10. (Currently Amended) The security system of claim 5 wherein a deny or abstain by any one of [[said]] the access decision mechanisms causes the security service to deny the access request.

11. (Currently Amended) The security system of claim 5 wherein an abstain by any one of [[said]] the access decision mechanisms does not cause the security service to deny the access request.

12. (Currently Amended) The security system of claim 5 wherein [[said]] the security service further includes an audit mechanism for auditing the determinations of [[said]] the plurality of access



13. (Currently Amended) The security system of claim 1 wherein [[said]] the resource interface includes an interface mechanism to pass access requests to or from a protected resource.

14. (Currently Amended) The security system of claim 13 wherein [[said]] the interface 
mechanism includes a Java J2EE security interface. 

15. (Currently Amended) The security system of claim 13 wherein [[said]] the interface mechanism includes a security provider interface.

16. (Currently Amended) The security system of claim 13 wherein [[said]] the interface mechanism is included as a plug in in [[said]] the resource interface.



17. (Currently Amended) The security system of claim 1 wherein the security service further makes a decision on whether to permit or deny a response to [[said]] the access request from [[said]] the protected resource to [[said]] the client.

18. (Currently Amended) A method of allowing a client to access a protected application, [[said]] the application including an application container, the method comprising:

receiving at an application container an access request from a client to access a protected application;

communicating the access request from the application container to [[the]] a security service together with a callback handler;

making a decision at [[said]] the security service to permit or deny [[said access]] the access request, wherein the security service includes a plurality of security providers that may be plugged into the security service;

using the callback handler at each security provider to request context information from the application container for the access request;

client to use with the protected application depending
providers]]; and

communicating a permitted access request to the protected application.

19. (Currently Amended) The method of claim 18 wherein [[said]] the application interface mechanism includes an application container for reading an application deployment description and registering [[said]] the deployment description within the security service.

20. (Currently Amended) The method of claim 19 wherein [[said]] the application container is an Enterprise Java Beans container.

21. (Currently Amended) The method of claim 19 wherein [[said]] the application container is a WebApp container.

22. (Currently Amended) The method of claim 18 further comprising:

defining an access policy via a plurality of access decision mechanisms within [[said]] the security service; and,

determining at each access decision mechanism a contributory decision to permit, deny, or abstain from [[said]] the access request.



23. (Currently Amended) The method of claim 22 further comprising:

transferring via an access controller [[said]] the access request to [[said]] the plurality of access decision mechanisms, and combining [[said]] the contributory decisions into an overall decision by the security service to permit or deny [[said]] the access request.

24. (Currently Amended) The method of claim 22 wherein [[said]] the access decision mechanisms represent a business function related access policy.

25. (Original) The method of claim 22 wherein access decisions may be added to the security service to reflect changes in the access policy.



Attorney Docket No.: BEAS-01084USO



PAGE 13/23 * RCVD AT 1/26/2006 8:52:45 PM [Eastern Standard Time] * SVR:USPTO-EFXRF-6/25 * DNIS:2738300 * CSID:415 362 2928 * DURATION (mm-ss):06-22 



01/26/2006 17:57 FAX 415 362 2925 FLIESLER MEYER LLP -> USPTO CENTRAL

Application No. 09/878,536
Final Office Action dated August 26, 2005
RCE Dated: January 26, 2005

26. (Currently Amended) The method of claim 22 further comprising:

using [[said]] the access decision mechanisms to define [[an]] entitlements for [[said]] the client to access [[said]] the protected resource.



27. (Currently Amended) The method of claim 22 wherein a deny or abstain by any one of 
[[said]] the access decision mechanisms causes the security service to deny the access request. 



28. (Currently Amended) The method of claim 22 wherein an abstain by any one of [[said]] the access decision mechanisms does not cause the security service to deny the access request.

29. (Currently Amended) The method of claim 22 further comprising:

auditing via an audit mechanism the determinations of [[said]] the plurality of access requests.

30. (Currently Amended) The method of claim 18 wherein [[said]] the step of communicating the access request includes passing access requests via an interface mechanism to or from a protected resource.



31. (Currently Amended) The method of claim 30 wherein [[said]] the interface mechanism includes a Java J2EE security interface.

32. (Currently Amended) The method of claim 30 wherein [[said]] the interface mechanism includes a security provider interface.

33. (Currently Amended) The method of claim 30 wherein [[said]] the interface mechanism is included as a plug in in [[said]] the resource interface.

34. (Currently Amended) The method of claim 18 further comprising:

making a decision on whether to permit or deny a response to [[said]] the access request from [[said]] the protected resource to [[said]] the client.

35. (Currently Amended) A method for determining [[a]] user entitlements to access protected resources in a secure environment, comprising:

receiving an access request from a user application to access a protected resource, by invoking a security service with [[said]] the access request and a callback;

; to access [[said]] the protected resource, wherein [[said]] 
f of security providers that may be plugged into the security 
service, and wherein the security providers use a callback handler to request context information from [[the]] an application container for the access request;

making a decision at [[said]] the security service based on [[said]] the user entitlements to permit or deny [[said]] the access request; and
the steps of either

(a) communicating a permitted access request to [[said]] the protected resource, or

(b) denying a denied access request to [[said]] the protected resource.

36. (Currently Amended) The method of claim 35 wherein if [[said]] the access request is permitted [[said]] entitlements also determines a type of access available to [[the]] a user of [[said]] the protected resource

37. (Currently Amended) The method of claim 36 wherein [[said]] the type of access includes any of view, modify, delete, or copy, any part or all of [[said]] the protected resource.

38. (Currently Amended) The method of claim 35 wherein information about [[said]] user entitlements can be communicated from a first security realm to a second security realm.

39. (Currently Amended) The method of claim 38 wherein additional information from a first security realm can be used to modify the user entitlements, prior to communicating [[said]] the information about [[said]] user entitlements from [[said]] the first security realm to [[said]] the second security realm.

40. (New) The security system of claim 1, wherein entitlements comprise at least one of business logic and functionality entitlements.

41. (New) The security system of claim 1, wherein context information comprises at least one of the identity of the protected resource or application, one or more values of access request parameters and network or internet protocol address of the client
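
The following Java sketch is an added illustration, not part of the filed claims or of the applicant's implementation. It shows the arrangement recited in claims 1, 5-6, 10-11 and 41: pluggable access decision mechanisms pull context through a callback supplied by the container, and an access controller combines their permit/deny/abstain outputs under either abstain rule. All type and method names are hypothetical, and treating "no provider permitted" as a denial is an assumption the claims do not state.

```java
import java.util.*;

public class AccessControllerDemo {
    enum Decision { PERMIT, DENY, ABSTAIN }

    /** Callback handed over by the container; providers pull only the context they need. */
    interface ContextCallback { Object get(String name); }

    /** One pluggable access decision mechanism (hypothetical interface). */
    interface AccessDecision {
        Decision decide(String client, String resource, ContextCallback ctx);
    }

    /** Access controller: combines contributory decisions into one permit/deny result. */
    static boolean isPermitted(List<AccessDecision> providers, boolean abstainDenies,
                               String client, String resource, ContextCallback ctx) {
        boolean anyPermit = false;
        for (int i = 0; i < providers.size(); i++) {
            Decision d = providers.get(i).decide(client, resource, ctx);
            System.out.printf("audit: provider %d -> %s%n", i, d); // audit each determination
            if (d == Decision.DENY) return false;
            if (d == Decision.ABSTAIN && abstainDenies) return false; // rule of claims 10/27
            if (d == Decision.PERMIT) anyPermit = true;               // abstain ignored: 11/28
        }
        return anyPermit; // assumption: with no PERMIT at all, fail closed
    }

    public static void main(String[] args) {
        // Constructed request context, as a container might expose it (claim 41).
        Map<String, Object> request = new HashMap<>();
        request.put("clientAddress", "10.0.0.7");
        request.put("param.amount", 2500);
        ContextCallback ctx = request::get;

        // Identity-based provider: needs no context at all.
        AccessDecision roleCheck = (c, r, cb) ->
            c.equals("alice") ? Decision.PERMIT : Decision.DENY;
        // Business-rule provider: asks the container for a request parameter.
        AccessDecision limitCheck = (c, r, cb) -> {
            Object amt = cb.get("param.amount");
            if (!(amt instanceof Integer)) return Decision.ABSTAIN;
            return (Integer) amt <= 5000 ? Decision.PERMIT : Decision.DENY;
        };
        // Provider with no opinion on this resource.
        AccessDecision networkCheck = (c, r, cb) -> Decision.ABSTAIN;

        List<AccessDecision> providers = Arrays.asList(roleCheck, limitCheck, networkCheck);
        System.out.println(isPermitted(providers, true, "alice", "transfer", ctx));  // strict
        System.out.println(isPermitted(providers, false, "alice", "transfer", ctx)); // lenient
    }
}
```

The same three provider outputs yield opposite overall decisions under the two abstain rules, which is why the combining policy has to be fixed explicitly whenever providers can be plugged in.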